
Fancy Bear hackers still exploiting Microsoft Exchange flaw

Microsoft and Polish Cyber Command warned enterprises that Russian nation-state hackers are exploiting CVE-2023-23397 to gain privileged access to Exchange email accounts.

A Russian nation-state group continues to exploit a critical Microsoft vulnerability that was patched eight months ago to gain access to emails within victim organizations' Exchange servers.

In March, Microsoft disclosed a zero-day elevation of privilege vulnerability, tracked as CVE-2023-23397, that affects Outlook for Windows and received a critical CVSS score of 9.8. Microsoft published an advisory on March 24 that said evidence of potential exploitation traced back to April 2022.

Microsoft warned that threat actors could exploit the flaw during attacks by sending a specially crafted message that required no user interaction. CISA added CVE-2023-23397 to its Known Exploited Vulnerabilities catalog, which signals a high-priority threat.

Although Microsoft urged users to update Microsoft Outlook as soon as possible due to exploitation activity, organizations remain vulnerable eight months later. In an update to the March blog post on Monday, Microsoft revealed that the Russian state-sponsored threat group it tracks as Forest Blizzard, more commonly known as Fancy Bear or APT 28, continues to exploit CVE-2023-23397 against unpatched instances.

The Polish Cyber Command initially detected the attacks and reported the malicious nation-state activity to Microsoft. Forest Blizzard is exploiting the privilege escalation flaw "to provide secret, unauthorized access to email accounts within Exchange servers," according to Microsoft.

Forest Blizzard is known to target government, energy and transportation companies in the U.S., Europe and the Middle East. The threat group has a history of exploiting zero-day vulnerabilities and using advanced social engineering techniques. Attributed attacks include those against the U.S. Democratic National Committee and the International Olympic Committee.

"Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities," Microsoft wrote in the blog post.

The Polish Cyber Command provided further insight into Forest Blizzard's activity, which it dubbed the "Silence" campaign in an advisory. The threat group first compromised ordinary, low-privileged user accounts and used them to eventually reach Exchange mailboxes that might contain high-value information.

Attacks against Microsoft Exchange servers and Outlook email accounts have been increasing. In July, the Chinese-backed Storm-0558 threat group compromised Outlook accounts of U.S. government agencies by infiltrating Microsoft's corporate network and stealing a signing key.

Polish Cyber Command attack analysis

During the Silence campaign, the Polish Cyber Command observed two initial access vectors: brute-force attacks and exploitation of CVE-2023-23397. Exploitation of CVE-2023-23397 allowed the threat group to steal a user's Windows NTLM (New Technology LAN Manager) hash, the password-derived credential Windows uses for network authentication.

Once Forest Blizzard gained access to an ordinary user's mailbox, operators modified folder permissions for cyberespionage purposes.

"In most cases, the modifications are to change the default permissions of the 'Default' group (all authenticated users in the Exchange organization) from 'None' to 'Owner.' By making this type of modification, the contents of folders that have been granted this permission can be read by any authenticated person within the organization," Polish Cyber Command wrote in the advisory.

Polish Cyber Command observed the adversary modifying folder permissions in mailboxes that contained high-value information. By using the Exchange Web Services protocol, the threat group was able to compromise any email account in the organization. Polish Cyber Command warned enterprises that Forest Blizzard could still be lurking in an Exchange environment even after losing direct access.

"It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it," the advisory said.

Based on the observed activity, Polish Cyber Command assessed that Forest Blizzard has a "thorough knowledge of the architecture and mechanisms of the Microsoft Exchange mail system." In addition, it warned enterprises that identifying attacks will be challenging due to the threat group's effective evasion techniques. Log analysis will be vital in detection and incident response.

The Silence campaign might already have affected government and private sectors worldwide, Polish Cyber Command warned. Mitigation and defense recommendations include running a toolkit provided by the agency, as well as verifying Exchange accounts and mailbox delegation settings.
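The advisory's description of the persistence technique (the mailbox folder's "Default" entry changed from None to Owner) and its recommendation to verify mailbox delegation settings and analyze logs translate directly into a review a defender can script. The following is an added example written for this article, not code from Microsoft or from the Polish Cyber Command toolkit. It assumes an on-premises Exchange Management Shell session with the standard `Get-Mailbox`, `Get-MailboxFolderStatistics`, `Get-MailboxFolderPermission` and `Search-MailboxAuditLog` cmdlets; the baseline allowlist, the function names and the sample mailbox identities are this example's own choices, and the audit query only returns results on mailboxes where mailbox audit logging is enabled.

```powershell
# Added defensive example (not from the article, Microsoft or Polish Cyber Command).
# Part 1: find folders whose "Default" ACL entry grants more than the expected baseline.
# Part 2: pull mailbox audit events for folder-permission changes to see who made them.

# Baseline of Default-entry rights considered normal per folder type (example's own choice).
# Calendars commonly expose free/busy to everyone; every other folder type should be None.
$ExpectedDefaultRights = @{
    'Calendar' = @('None', 'AvailabilityOnly', 'LimitedDetails')
    '*'        = @('None')
}

function Test-UnexpectedDefaultRights {
    param(
        [string]$FolderType,
        [string[]]$AccessRights
    )
    $allowed = if ($ExpectedDefaultRights.ContainsKey($FolderType)) {
        $ExpectedDefaultRights[$FolderType]
    } else {
        $ExpectedDefaultRights['*']
    }
    # Any granted right outside the baseline (e.g. Owner, Reviewer, Editor) is reported.
    foreach ($right in $AccessRights) {
        if ($allowed -notcontains $right) { return $true }
    }
    return $false
}

function Get-UnexpectedDefaultFolderPermission {
    param([string]$Mailbox)   # optional: limit the review to one mailbox

    $mailboxes = if ($Mailbox) { Get-Mailbox -Identity $Mailbox }
                 else          { Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $mailboxes) {
        # Skip the root folder; every other folder carries its own ACL.
        $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity |
            Where-Object { $_.FolderPath -ne '/' }

        foreach ($folder in $folders) {
            # FolderPath uses '/' separators; the permission identity wants 'alias:\Path'.
            $folderId = '{0}:{1}' -f $mbx.Alias, ($folder.FolderPath -replace '/', '\')
            # -User Default returns only the Default (all authenticated users) entry.
            $entry = Get-MailboxFolderPermission -Identity $folderId -User Default `
                        -ErrorAction SilentlyContinue
            if (-not $entry) { continue }   # some system folders have no such entry

            $rights = @($entry.AccessRights | ForEach-Object { "$_" })
            if (Test-UnexpectedDefaultRights -FolderType $folder.FolderType -AccessRights $rights) {
                [pscustomobject]@{
                    Mailbox       = $mbx.PrimarySmtpAddress
                    Folder        = $folder.FolderPath
                    FolderType    = $folder.FolderType
                    DefaultRights = ($rights -join ',')
                }
            }
        }
    }
}

function Get-FolderPermissionChange {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [int]$Days = 30
    )
    # Requires mailbox audit logging on the mailbox (Set-Mailbox -AuditEnabled $true).
    # UpdateFolderPermissions events show which logon (owner, delegate or admin),
    # from which client address, changed a folder ACL; correlate with the findings above.
    Search-MailboxAuditLog -Identity $Mailbox -ShowDetails `
        -Operations UpdateFolderPermissions `
        -LogonTypes Owner, Delegate, Admin `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object LastAccessed, Operation, LogonUserDisplayName, ClientIPAddress, ClientInfoString
}

# Example usage (mailbox identity and output path are placeholders):
# Get-UnexpectedDefaultFolderPermission | Export-Csv .\default-rights-review.csv -NoTypeInformation
# Get-FolderPermissionChange -Mailbox 'placeholder.user' -Days 30
```

Run the first function across the organization on a schedule and diff the output against the previous run: a folder whose Default entry moves from None to Owner, Reviewer or Editor on a non-calendar folder is exactly the change the advisory describes. The second function answers the follow-up question (when, by which logon type and from which client the change was made) and is only as good as the audit configuration, which is why enabling mailbox auditing ahead of an incident matters.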

Microsoft's primary recommendation for mitigating the threat is to apply the patch for CVE-2023-23397, along with resetting passwords for any compromised users, disabling unnecessary services in Exchange and using multifactor authentication.

While a lack of patching has contributed to ongoing exploitation of CVE-2023-23397, other research revealed a previous mitigation bypass. In May, Akamai security researcher Ben Barnea discovered that he could bypass Microsoft's fix by using another critical flaw, tracked as CVE-2023-29324, in an Internet Explorer component. Microsoft released a security update on May 9 to address the threat vector, but Akamai disagreed with the tech giant over the severity rating for CVE-2023-29324.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
